A number of HTML filtering bugs were found in SquirrelMail that
could allow an attacker to inject arbitrary JavaScript leading to
cross-site scripting attacks by sending an email viewed by a user
within SquirrelMail (CVE-2007-1262).

As well, SquirrelMail did not sufficiently check arguments to IMG tags
in HTML messages that could be exploited by an attacker by sending
arbitrary email messges on behalf of a SquirrelMail user tricked into
opening a maliciously-crafted HTML email message (CVE-2007-2589).

The packages provided have been updated to correct these
vulnerabilities; Corporate Server 4 has been upgraded to SquirrelMail
1.4.10a and Corporate Server 3 has been patched to protect against
these issues.